trust your corporation for keyowner identification?

Doug Barton dougb at dougbarton.us
Wed Oct 16 21:51:15 CEST 2013



On 10/16/2013 05:04 AM, Brian J. Murrell wrote:
| If you worked in a corporate environment, would you trust the HR
| department there to have verified the identity of employees well
| enough to leverage that into signing a GPG key?
|
| Let's say such an environment had a messaging system where
| employees had to authenticate with their corporate IT credentials
| in order to use the system.  Would that, and the assertion by HR/IT
| that a message that I get from Bob really did come from the
| employee HR verified as Bob (i.e. when they hired him), be enough
| for you to trust the key you get from Bob enough to sign it that it
| really is Bob's?

What would the purpose of such a signature be? Would you be
distributing your signature, or would it be local to your key ring? If
you're distributing the signature, would you distribute it only within
the company, or outside too? Are you talking about signing with your
personal key, or signing with your company key? If the latter, does
that key ever see the light of day outside the company?

Just to be clear, I'm not being snarky here. As others have said, you
have asked an interesting question, but there are not enough details
(for me at least) to give you an answer.

Doug




More information about the Gnupg-users mailing list